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Current approaches to the engineering of space software such as satelUte control systems are based 
around the development of feedback controllers using packages such as MatLab's Simulink tool- 
box. These provide powerful tools for engineering real time systems that adapt to changes in the 
environment but are limited when the controller itself needs to be adapted. 

We are investigating ways in which ideas from temporal logics and agent programming can be 
integrated with the use of such control systems to provide a more powerful layer of autonomous 
decision making. This paper will discuss our initial approaches to the engineering of such systems. 



1 Introduction 



Modern control systems are limited in their ability to react flexibly and autonomously to changing situ- 
ations. The limiting factor is the complexity inherent in analysing situations where many variables are 
present. There are many complex, real-world, control systems but we are primarily interested in the 
(autonomous) control of satellite systems. 

Consider the problem of a single satellite attempting to maintain a geostationary orbit. Current 
satellite control systems maintain orbits using feedback controllers. These implicitly assume that any 
errors in the orbit will be minor and easily corrected. In situations where more significant errors occur, 
for example caused by a thruster malfunction, it is desirable to modify or change the controller. The 
complexity of the decision task is a challenge to standard approaches, and has led, for example, to 
complex, evolutionary control systems. These become very difficult to understand. 

We approach the problem from the perspective of rational agents [6]. We consider a satellite to be 
an agent which consists of a discrete (rational decision making) part and a continuous (calculation) part. 
The discrete part uses the Belief-Desire-Intention (BDI) theory of agency (SI and governs high level 
decisions about when to generate new feedback controllers. The continuous, calculational part is used to 
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derive controllers and to calculate information from continuous data which can be used in the decision 
making process; this part can be viewed as a hybrid system. 



2 Architecture 
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Figure 1 : Implemented Hybrid Agent Architecture 



Our prototype system is shown in Fig. [T] We have implemented a simulated environment and real 
time satellite control system in MatLab using the Simulink tool kit. The continuous agent part is also 
implemented in MatLab. MatLab has no easy provision for threaded execution which forces us to use 
separate instances for the Real Time aspects (i.e. the feedback controller and simulated environment) 
and for the Continuous Agent part. The agent also contains a discrete agent part which is currently 
implemented in the Gwendolen agent programming language^ Gwendolen [ 2 1 is implemented on top of 
Java. 

The real time control system sends information (which may be pre-processed) to the agent part of the 
system. When it acts, the discrete part of the agent may either cause the continuous agent part to perform 
some calculation (and wait for the results) or it may send an instruction to the real time control system to 
alter its controller. Since the new controller has been created "on the fly" by the continuous part, some 
aspects of this controller are stored in the shared file system (accessed by both MatLab processes). 

The discrete agent part is divided into an abstraction engine which takes continuous data supplied 
by the satellite simulation and transforms this data into discrete shared beliefs which are accessed by a 

'The choice of language was dictated entirely by convenience. It is a subject for further work to examine more widely used 
BDI-languages and evaluate which is most appropriate for the system. 
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reasoning engine which makes decisions about how to behave. The discrete part is split in two because 
reasoning is comparatively slow compared to the flow of data coming in from the simulation. It can 
become "clogged" up with the need to react to changing information if it tries to perform both the 
abstraction tasks and the reasoning tasks at once. The separation of abstraction and reasoning is both 
theoretically clean and practical at an implementational level. 



3 BDI Programming Aspects 

The architecture lets us represent the high-level decision making aspects of the program in terms of the 
beUefs and goals of the agent and the events it observes. So, for instance, when the agent observes the 
event that the satellite is in a new position (information relayed to it by the real time controller) it can call 
on the continuous part to calculate whether this position is within acceptable bounds of the desired orbit 
(i.e. whether the existing real-time controller is capable of maintaining the orbit). If, as a result of this, it 
gains a belief that the satellite has strayed from the orbit it can request the continuous part to calculate a 
new path for the satellite to follow using techniques described in fT]. 

Similarly, if the satellite has strayed from its bounds, the discrete agent part can examine its beliefs 
about the current status of the thrusters and, if necessary, instruct the continuous part to generate a new 
feedback controller which takes into account any malfunctions or inefficiencies in the thrusters. 

Such programs can be expressed compactly in the BDI-programming style without the need for 
programming large decision trees to consider all possible combinations of thruster status and satellite 
positions. This should then reduce the probability of error in the decision-making parts of the program 
and opens the possibility that existing techniques for model checking such programs Q can be adapted 
to verify this part. 



3.1 Geostationary Orbit Case Study 



The agent code for the geostationary orbit is shown in code fragments 3.1 and 3.2 Fragment 3.1 shows 
the code for the abstraction engine. Every time it "perceives" the satellite position (stateinf o) it calls 
upon MatLab to calculate whether or not this position is within bounds (comp_distance) and then 
asserts and removes shared beliefs appropriately. 

The code is shown as a series of plans of the form t rigger : { guard } -f- deeds where the trigger is 
some event observed by the agent, the guard is a set of facts that must be true before the plan is activated 
and the deeds are a stack of deeds to be executed. +b is the addition of a belief, b, and -b is the removal 
of the belief, b. In a guard ^ b means that b is believed. 

Code fragment 3.1 Geostationary Orbit Control (Abstraction Engine) 



+ stateinf o (LI, L2, L3, L4, L5, L6) : i 

proximity_to_centre (VI ) } 2 

comp_distance (LI, L2, L3, L4, L5, L6, Val) , 3 

+proximitY_to_centre (Val) ; 4 

5 

+proximity_to_centre (in) : {I^ proximity_to_centre (out ) } 4— 6 
-proximity_to_center (out ) , 7 
remove_shared (proximity_to_centre (out) ) , 8 
assert_shared (proximity_to_centre (in) ) ; 9 

10 

+proximity_to_centre (out) : 11 
[S§ proximity_to_centre (in) , 12 
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^ stateinf o (Ll, L2, L3, L4, L5, L6) } ^ 13 

-proximitY_to_centre (in) , 14 

remove_shared (stateinf o (Al, A2, A3, A4, A5, A6) ) , 15 

assert_shared (stateinf o (LI, L2, L3, L4, L5, L6) ) , I6 

remove_shared (proximity_to_centre (in) ) , 17 

assert_shared (proximity_to_centre (out ) ) ; is 



Fragment 3.2 reacts to the dynamic information about whether the satellite is within bounds or not. 
It may call a MatLab function, plan_approach_to_centre which returns the name of a plan to 
move a satellite back within bounds. apply_controls and maintain_path are actions applied to the 
simulation of the satellite which apply a named plan, or continue normal operation as appropriate. The 
syntax + ! g indicates the acquisition of a goal. 

Code fragment 3.2 Geostationai-y Orbit Conti-ol 



+proximity_to_centre (out) : {T} 1 

-proxiinity_to_centre (in) , 2 

+ ! get_to_centre; 3 

4 

+proximity_to_centre (in) : {T} ^ 5 

-proximity_to_oentre (out) , 6 

maintain_path; 7 

8 

+ ! get_to_centre : 9 
{3S proximity_to_centre (out) , 10 
stateinf o (LI, L2, L3, L4, L5, L6) } <- 11 
plan_approach_to_centre (P , loon (LI, L2, L3, L4, L5, L6) ) , 12 
+ ! try_execute (P ) ; 13 

14 

+ ! try_execute (P ) : proximity_to_centre ( out ) } ^ 15 

apply_controls (P) ; 16 



3.2 Decision and Control 

The important aspect of both the above example and the architecture in general is that the (MatLab) con- 
trol systems take care of the detailed calculation of continuous functions (paths, etc), while the rational 
agent takes care of high-level decisions about targets and plans. This separation of concerns simplifies 
both parts and avoids the problems associated with large, opaque, complex, adaptive and evolutionary 
control systems. 



4 Future Work 



We are currently working on our prototype system and case study which will allow us to make com- 
parisons of this agent approach to autonomous decision-making in satellite systems to approaches based 
on finite state machines and standard control. We also are interested in investigating the use of tempo- 
ral logic and model checking to generate forward planning capabilities for the agent along the lines of 
those investigated by Kloetzer and Belta [3|. We aim to explore the possibility of using model checking 
to verify aspects of the agent's behaviour. Given that we already have a formal verification system for 
Gwendolen agents lUl, there is a strong possibility that we can extend this to cope with (abstractions 
of) the continuous part. As the diagram below shows, we already have model-checking tools for the 
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discrete/finite parts. Our interest now is how far such techniques can be extended to account for other 
aspects of the agent's behaviour. 
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